Burp Suite User Forum


Hex encoded characters in custom parameter from macro response

Andrew | Last updated: Jan 07, 2016 10:58PM UTC

I'm trying to work with a JSF application that uses a ViewState parameter as a CSRF token. I have set up a macro to grab the token and use it in requests, but character encoding is preventing this working. The response from the first request is as follows:

<input type="hidden" name="javax.faces.ViewState" id="j_id1:javax.faces.ViewState:0" value="-5780607978369140315&#x3a;4733418508590325778" autocomplete="off" />

As you can see, the colon in the middle of the token is encoded as &#3a;

When the token is re-used by the application, each single character is re-encoded using URL encoding:

&javax.faces.ViewState=-5780607978369140315%26%23x3a%3b4733418508590325778

This happens irrespective of the setting "Extracted value is URL encoded". Is there any way to deal with this in Burp?

PortSwigger Agent | Last updated: Jan 08, 2016 10:10AM UTC

The actual problem here appears to be that Burp isn't currently decoding the HTML-encoded entity in the middle of the token as it appears in the HTML. If that was being correctly HTML-decoded on arrival, then the value submitted later should be correct. Burp should be dealing with HTML-encoding correctly in this situation. Just to check: are you using the latest version of Burp?

Burp User | Last updated: Jan 08, 2016 01:47PM UTC

Yes - 1.6.32 Pro. The whole app seems to be throwing a lot of HTML encoded characters at me. One issue I have showing is "HTML does not specify charset" - could this be causing it?

Burp User | Last updated: Jan 08, 2016 01:59PM UTC

I've written a session handler to deal with it for now. Would be interesting to see what is going on with it though. Unfortunately work is not public so can't share URL.
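
The encoding mismatch discussed in this thread, as an added example that is not part of the original posts and is not Burp's or the poster's session-handler code: it extracts the ViewState from the hidden field quoted in the first post, once as raw markup and once HTML-decoded, and shows the request parameter each produces. All function names are hypothetical, and the sample markup is constructed from the first post.

```python
import re
from html import unescape
from html.parser import HTMLParser
from urllib.parse import quote

FIELD = "javax.faces.ViewState"

# Constructed sample: the hidden field as quoted in the first post.
SAMPLE_HTML = ('<input type="hidden" name="javax.faces.ViewState" '
               'id="j_id1:javax.faces.ViewState:0" '
               'value="-5780607978369140315&#x3a;4733418508590325778" '
               'autocomplete="off" />')


def raw_extract(html_text):
    """Regex extraction: returns the attribute exactly as it appears in the markup."""
    pattern = r'name="%s"[^>]*\bvalue="([^"]*)"' % re.escape(FIELD)
    m = re.search(pattern, html_text)
    return m.group(1) if m else None


class _ViewStateParser(HTMLParser):
    """HTML-aware extraction: HTMLParser decodes entities in attribute values."""

    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == FIELD and self.value is None:
            self.value = a.get("value")


def parsed_extract(html_text):
    parser = _ViewStateParser()
    parser.feed(html_text)
    return parser.value


def normalize_token(raw_value):
    """What a handler can apply to a raw-extracted token before re-use."""
    return unescape(raw_value)


def body_param(value):
    """URL-encode the token for a form-encoded request body."""
    return "%s=%s" % (FIELD, quote(value, safe=""))
```

Passing the raw value to `body_param` reproduces the `%26%23x3a%3b` form from the first post (Python emits the hex digits in upper case); passing the normalized value yields a single `%3A` for the colon.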
